To safeguard your organization from persistent cyber threats, look beyond technology and focus on educating your people, says prominent cybersecurity expert and ethical hacker Jamie Woodruff....
When organizations look to tackle cyber threats, they put a big focus on technology and forget about people. What I want organizations to realize is that, while we need technology, your people are your first and last line of defense.
I have uncovered numerous physical security weaknesses – in both the public and private sectors – by focusing on the realm of social engineering and the human aspect of cybersecurity, infiltrating targeted organizations to unearth existing exploits.
Through my extensive experience, I know that your people are under attack by organized criminals like never before. These criminals use social engineering to understand who your employees are. They spend months understanding their habits and their strengths and weaknesses, and they use this information to gain access to your organization’s most important asset – your data – with devastating consequences.
According to Verizon’s 2022 data breach report, ransomware attacks have increased by 13% in the past five years. The first half of 2022 saw nearly 236.7 million ransomware attacks worldwide, the average cost of which was $1.85m. Despite their best preventative efforts, ransomware breaches took 49 days longer than average to identify and contain. And they are costly. The 2024 State of Ransomware report found some 46% of ransomware victims estimated business losses to be $1-10 million as a result of an attack, with 16% reporting losses of over $10 million.
To give you an example: the National Health Service (NHS) in the UK suffered a $100m loss due to the WannaCry ransomware attack in 2017 – a massive global cyber strike that affected around 230,000 different machines in 150 countries. More than 19,000 NHS appointments were canceled as a result.
Ransomware is also affecting critical national infrastructure. A recent ransomware attack saw Russian-linked cybercriminals target the British financial system. The incident affected 42 of ION Trading UK’s customers with many European and American banks and brokers compelled to handle trading deals manually. According to the affected brokers, the disruption affected crucial operations such as margin calls and regulatory reporting on major market positions.
People tend to picture a hacker as Warlock from Die Hard, trying to take over the world from a basement. That’s the stereotype. The reality is that it is most likely a disgruntled former employee or a third-party organization tasked with processing your data that is compromising your organization’s security, and not a lone wolf.
In the past, hackers would get into, then out of, an organization quickly – that is no longer the case. Some hackers spend years inside an organization, leaving the back door open and inviting criminals to bid for access to your information.
What we are facing today is serious organized criminals reaching out to your employees asking them to deploy ransomware on their behalf.
In the late 90s, it was all about viruses, malicious code, trojans, and advanced worms. Cyberattacks didn’t tend to use ransomware, even though it has been around for a long time. From 2004 to 2007 we saw identity theft, and from 2007 to 2010 we saw the rise of botnets. Since 2010, it has been about all social engineering. According to Verizon’s 2024 data breach report, 68% of breaches involve a non-malicious human element, like a person falling victim to a social engineering attack. You can have all the technology in the world to ward off attacks but if I watch you for six months and I know your habits and where you hang out, there is a lot of interesting information that can be utilized to lure employees in –this is how organizations are being compromised.
“It always falls back to human error, no matter what.”
Malicious individuals normally message employees on WhatsApp, Signal, or Telegram to gather information. They promise a payout once the individual has deployed the ransomware within his or her organization and the organization pays the requested ransom.
And the tactics are becoming more and more sophisticated. One startling example is a case of juice jacking – a type of cyber-attack involving a charging port that doubles as a data connection typically over USB. One organization asked me to investigate an employee whose technology kept repeatedly getting infected with Ransomware. After spending a few days with him, it turned out that his e-cigarette charging cable was being used as a data controller to send and transmit information. During the investigation, we discovered that malicious actors had set up a store on wish.com and targeted employees of the company with paid marketing over social media to encourage them to buy that charging cable.
It pays to be hyperaware. Employees should be educated about the many ways that they can fall victim to organized criminals on a daily basis. These are some of the most common attack vectors that criminals use that could potentially lead to data getting compromised. Here are 10 to watch out for:
Beware of people impersonating an individual to get sensitive information. Fake audio and video are increasingly easy to make – and incredibly accurate.
It takes just 11 seconds to gain valuable information from your laptop, so be aware of people trying to divert your attention from your computer, even for a short while.
Domain names similar to the organization’s are purchased to launch attacks, so it’s important to educate your employees on what to look out for.
Criminals drop branded USB pens to be picked up by targeted employees in the hope that they will be plugged into company devices. Emphasize just how important it is not to plug in unknown devices and to be aware of everything they plug into company assets.
Criminals listen to conversations to extract information that could be useful during the attacks or at a later stage. Be aware of not sharing sensitive information, even around seemingly unrelated people such as waiters or delivery men.
Criminals print identification cards to impersonate an employee within the organizational structure. Pay close attention to this and to your security access points, which can be easily compromised by tailgaters.
Be careful of the QR codes you scan. Malicious links with QR-generated images could download droppers or trojans onto a user’s device
A man-in-the-middle (MITM) attack refers to when a perpetrator positions himself in a conversation between a user and an application – either to eavesdrop or impersonate. A common way to do this is via free WiFi networks at hotels, airports, and cafes. Make sure your employees always connect over a VPN when traveling.
A social engineer will offer a service such as tech support to trick the user into handing over sensitive information, such as login credentials. Encourage your employees to question unsolicited and unexpected offers of support and to verify the identity of the user before handing over information via the telephone or email.
This happens when a malicious actor bombards the victim with fake malware attacks, such as pop-ups that appear on a user’s screen or spam email attacks and “scaring” them into paying for software that purports to fix the problem but contains malware designed to steal data. Constant education of these various attack tactics is essential to ensure staff don't fall foul of these attempts.
This article is inspired by a keynote session at IMD’s Orchestrating Winning Performance in Lausanne, which brings together executives from diverse sectors and geographies for a week of intense learning and sharing with IMD faculty and business experts.
Widespread bias and lack of inclusivity across the tech world deters women from pursuing careers in the sector. This is a significant business risk. Here are some practical actions every reader can...
Concerns over the ‘unpredictability’ of AI are widespread, but Industrial AI proves the value proposition of this tool, says Öykü Işık. This article explains how to build security into your strategy....
Business leaders at this year’s World Economic Forum sought to block out the political noise and focus on what’s happening in the real economy....
When the British Library fell victim to a major ransomware attack it opted for a policy of full transparency. Here we outline what government organizations, NGOs, and businesses can learn from the...
